
Re: -fPIE and stuff

On 29/01/12 23:25, Russ Allbery wrote:
> For PIE, the main practical problem with PIE is that PIE and PIC conflict,
> so you can't just add -fPIE to the compiler flags of a package that builds
> both executables and libraries.

I investigated this for D-Bus (which builds a security-sensitive daemon,
dbus-daemon, and a library, libdbus). It turns out that libtool is
clever enough to replace -fPIE with -fPIC -DPIC when compiling objects
that will go in a shared library, and omit -pie when linking shared
libraries, so if your hybrid executable|library package uses libtool (as
D-Bus does), you *can* just add the PIE flags:

    https://bugs.freedesktop.org/show_bug.cgi?id=16621#c9

(If your upstream has an ancient libtool, you might need to
re-libtoolize - but do that anyway, tbh. dh_autoreconf makes it quite
straightforward.)

As a result, I dropped the elaborate machinery from the upstream build
system to apply -fPIE in the compiler flags of only those objects that
will end up in an executable, in favour of recommending that
distributions use something like
'./configure CFLAGS=-fPIE LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now"' or the
dpkg-buildflags equivalent.

At some point I should update the dbus source package to use the right
magic options to dpkg-buildflags, but for now it's still using
hardening-wrapper and seems to work fine.

    S
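Whichever route a package takes (libtool rewriting -fPIE to -fPIC for library objects, or the configure CFLAGS/LDFLAGS above), the useful follow-up is to check the built artefacts rather than the build log. The following is an added example of my own, not code from this thread or from the D-Bus project: a small parser for little-endian ELF64 files that reports whether a binary is a PIE (ET_DYN with DF_1_PIE, or, for older linkers that do not set that flag, ET_DYN with a program interpreter), whether it carries a PT_GNU_RELRO segment (-z relro), and whether it requests immediate binding (-z now, via DT_BIND_NOW, DF_BIND_NOW or DF_1_NOW). `build_image` is a hypothetical helper that constructs header-only ELF images so the checker can be exercised offline; on a real system you would point it at dbus-daemon and libdbus instead.

```python
import struct
import sys

# ELF constants, as defined in the ELF specification / glibc elf.h.
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_INTERP = 2, 3
PT_GNU_RELRO = 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS = 0, 24, 30
DT_FLAGS_1 = 0x6FFFFFFB
DF_BIND_NOW = 0x8
DF_1_NOW = 0x1
DF_1_PIE = 0x08000000


def check_hardening(data: bytes) -> dict:
    """Report whether a little-endian ELF64 image is a PIE, has a RELRO
    segment and requests immediate symbol binding (-z now)."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 images are handled")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)

    relro = has_interp = False
    dyn_off = dyn_size = None
    for i in range(e_phnum):
        p_type, _flags, p_offset, _va, _pa, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:
            relro = True
        elif p_type == PT_INTERP:
            has_interp = True
        elif p_type == PT_DYNAMIC:
            dyn_off, dyn_size = p_offset, p_filesz

    # Walk the dynamic section (16-byte entries) for the binding flags.
    flags = flags_1 = 0
    bind_now = False
    if dyn_off is not None:
        for off in range(dyn_off, dyn_off + dyn_size, 16):
            d_tag, d_val = struct.unpack_from("<qQ", data, off)
            if d_tag == DT_NULL:
                break
            if d_tag == DT_FLAGS:
                flags = d_val
            elif d_tag == DT_FLAGS_1:
                flags_1 = d_val
            elif d_tag == DT_BIND_NOW:
                bind_now = True
    bind_now = bind_now or bool(flags & DF_BIND_NOW) or bool(flags_1 & DF_1_NOW)

    # A PIE is ET_DYN just like a shared library. Newer linkers mark it with
    # DF_1_PIE; older ones do not, so fall back to "ET_DYN with a PT_INTERP".
    pie = e_type == ET_DYN and (bool(flags_1 & DF_1_PIE) or has_interp)
    return {"pie": pie, "relro": relro, "bind_now": bind_now}


def build_image(et_dyn: bool, interp: bool, relro: bool,
                bind_now: bool, pie_flag: bool) -> bytes:
    """Hypothetical helper: construct a minimal, header-only ELF64 image
    (no code, no sections) so the checker can be exercised offline."""
    def phdr(p_type, p_offset=0, p_filesz=0):
        return struct.pack("<IIQQQQQQ", p_type, 4, p_offset, 0, 0,
                           p_filesz, p_filesz, 8)

    dyn = (struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW if bind_now else 0)
           + struct.pack("<qQ", DT_FLAGS_1, DF_1_PIE if pie_flag else 0)
           + struct.pack("<qQ", DT_NULL, 0))
    n_ph = 1 + int(interp) + int(relro)
    dyn_off = 64 + 56 * n_ph          # ELF header, then n_ph program headers
    phdrs = [phdr(PT_DYNAMIC, dyn_off, len(dyn))]
    if interp:
        phdrs.append(phdr(PT_INTERP))
    if relro:
        phdrs.append(phdr(PT_GNU_RELRO))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELFCLASS64, LSB
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH",
                               ET_DYN if et_dyn else ET_EXEC, 62, 1, 0, 64,
                               0, 0, 64, 56, n_ph, 64, 0, 0)
    return ehdr + b"".join(phdrs) + dyn


if __name__ == "__main__":
    # Usage: python check_pie.py /usr/bin/dbus-daemon /usr/lib/libdbus-1.so.3
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, check_hardening(f.read()))
```

Note that a shared library built with -fPIC and linked without -pie is also ET_DYN, so a checker that only looks at e_type would call every library a PIE; the interpreter/DF_1_PIE test above is what separates the two, and it is why the libtool behaviour described in the message (dropping -pie when linking the library) does not show up as a regression for libdbus.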
